> Key strength changes because we predict when a key will /cease being secure/.
Yes, we use keys up the gradient of security that key size represents as attacks become more powerful. The reason we don't use the more secure keys in the first place isn't that 2048b keys weren't always more secure than 1024b keys -- it's just that we didn't (for most purposes) need to be that secure, and so we choose an appropriate spot on the gradient for our cost-benefit analysis.
Pretending that's not a gradient of security is simply dishonest.
> That said most of the demands made by DoJ aren't for reduced key size, they're for variations of key /escrow/: literally breaking the security model of crypto entirely.
That's missing the plot for the details: the DoJ wants a method by which they can break into digital safes in a manner similar to physical safes. Their proposal is key escrow, but that's partly because technologists didn't suggest a better way when the DoJ simply asked to get it done with little guidance. So they made a specific ask. And it sucks -- because they're not technologists. Everyone knows it, but the DoJ isn't inclined to let people flat out refuse.
Pretending that there aren't technical solutions with transparent ruses -- like there aren't gradients of security -- is how we got to lawyers demanding technical features.
I don't disagree with you that we should use secure protocols, I'm just saying we need to hold ourselves accountable for honest and strong arguments, not ruses.
The one you end on -- that using ephemeral keys is fundamentally a stronger algorithm that doesn't work well with long-term taps -- is a strong argument. Much better than things like "there aren't security gradients" -- partly because they're actually true.
No one came up with a better "solution" than escrow because there is not one.
I've spent years of my life working on making it so people don't have to risk their information whenever it touches a computer.
Key length is a measure of how long you want the key to be secure. Also note that we tried that once in the past: DES had a deliberately crippled key space. That was resulting in terrible security bugs only a few years ago.
> No one came up with a better "solution" than escrow because there is not one.
I keep seeing this statement being made whenever this topic comes up. Yet I've never seen a formal impossibility result.
It's amazing. Cryptographers are the smartest people in the world when it comes to solving most problems. (Just ask them!)
But seriously, some of the stuff they can do is like magic. Things that, intuitively, sound like they should be impossible. For example:
Zero knowledge proofs? Can do.
Oblivious transfer? Sure thing.
Fully homomorphic encryption? Coming right up!
But then the DOJ says they want some way to investigate the Texas shooter's phone without also getting access to everyone else's data. And suddenly the whole community is like "I dunno man, aren't you just asking me to 'nerd harder'? ¯\_(ツ)_/¯ lololol"
It was cute at first, but if we keep it up we're going to start burning through our credibility real soon.